Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0501

Summary           : Infinite loop in Teredo client
Date              : 02 May 2005
Affected versions : Miredo 0.2.0 to 0.4.2
Miredo-specific   : Yes
Impact            : Remote denial of service
CVE ID            : N/A
ID                : MTFL-SA-0501


Parsing by the Teredo client of Router Advertisement normally sent by the Teredo server suffers from insufficient sanity checks. By sending a carefully crafted UDP packet to Miredo’s Teredo service port, it is possible to cause Miredo to read undefined memory and/or to trigger an infinite loop, effectively denying the Teredo client service.


If conditions are met, Miredo will enter an infinite loop and use all remaining CPU cycle (on one processor) until it is killed (killall -KILL miredo). Teredo tunneling will be completely unusable.

As far as is known, this bug cannot be exploited to run arbitrary code remotely.

Threat mitigation

Exploitation of this bug requires the knowledge of a 64-bits long authentication nonce sent by the Teredo client to the Teredo server. It is hence very unlikely to be caused by third party except in a man-in-the-middle case.

The selected Teredo server MUST be trusted by the client, given the design of the Teredo protocol.


Teredo relays and Teredo servers are unaffected.

Use a trusted Teredo server.


Upgrade to Miredo version 0.4.3.


This bug was discovered internally.




2 May 2005
Patch applied to stable branch - Miredo 0.4.3 released
Bug discovered in Miredo development trunk